Abstract. Most trace-based proof systems for networks of processes are known
to  be  incomplete.  Extensions  to  achieve  completeness  are  generally 
complicated  and  cumbersome.  In  this  paper,  a  simple  trace  logic  is  defined  and 
two  examples  are  presented  to  show  its  inherent  incompleteness.  Surprisingly, 
both  examples  consist  of  only  one  process,  indicating  that  network  composition 
is  not  required  for  incompleteness.  Axioms  necessary  and  sufficient  for  the 
relative  completeness  of  a  trace  logic  are  then  presented.  The  axioms  are 
substantially  simpler  than  existing  extensions  intended  to  achieve  the  same 
goal. 
1. Introduction


Most formalisms for networks in which the specification of a network can be completely deduced from the specifications for its constituent processes are trace-based. In them, one specifies and reasons about traces (histories) of the values transmitted along the communication channels of the network. Trace-based proof systems are defined in [CH81, Ho81, Ho85, MC81], but unfortunately they exhibit incompleteness [BA81, Ng85]. Simple trace logics are modified to increase expressiveness in [Jo85, Pr82] and to obtain completeness in [BA81, HH83, NDGO86, ZRE84]. The modifications tend to be extensive and cumbersome; the simplicity of the underlying logic is lost.

This  paper  explores  incompleteness  in  simple  trace-based  proof  systems  and  identifies  two 
extensions  that  are  necessary  and  sufficient  for  achieving  relative  completeness.  The  first 
source  of  incompleteness  is  the  inability  to  state  and  reason  about  constraints  on  the  temporal 
ordering  of  network  events.  The  second  source  is  the  inability  to  assert  that  the  sequence  of 
values  transmitted  along  a  communication  channel  is  always  a  prefix  of  that  channel’s 
sequence  at  some  later  point.  These  two  properties — the  temporal  ordering  and  prefix 
properties — must  be  available  as  reasoning  tools  in  any  (relatively)  complete  proof  system. 

The need for axiomatizations of these properties is illustrated using two examples, each consisting of a single process. The examples demonstrate that, while compositionality is an important feature of trace-based logics, incompleteness is caused not by network composition but by the inability to express the temporal ordering and prefix properties. We also prove that adding temporal ordering and prefix axioms to a trace logic suffices for achieving relative completeness.

Section 2 describes the class of synchronous process networks used in the remainder of the paper. In Section 3, we define Simple Trace Logic (STL), a formalism and proof system for network specification and verification that captures the essence of most trace-based systems. The incompleteness of STL is shown in Section 4. To reason about the proof system it is necessary to introduce a computational model; we do this in Section 5. The model is based on the computation tree, which captures all possible behaviors of a given process or network. In Section 6, the ideas discussed in Section 4 are formalized, providing axiomatizations of the temporal ordering and prefix properties, along with a proof of their necessity and sufficiency. Finally, in Section 7 we draw conclusions, explain how our results relate to existing proof systems, and discuss future work.


2.  Process  Networks 


Consider networks of processes that communicate and synchronize solely by message passing. Processes and communication channels are uniquely named. Each channel is either internal or external with respect to a network. An internal channel connects two processes of the network; an external channel is connected to only one. Channels are unidirectional, and communication along them is synchronous¹, so both processes incident to an internal channel must be prepared to communicate before a value is actually transmitted. External channels permit communication with the environment of the network; input or output on an external channel occurs whenever the incident process is ready. Without loss of generality, we assume:

[2.0.1] Message transmission occurs instantaneously.

[2.0.2] Two message transmissions cannot occur simultaneously. Thus, there is a total order on the communication events of a given computation.

[2.0.3]  There  is  a  fixed  domain  of  values  that  can  be  transmitted  on  communication  channels. 
Processes  send  and  receive  values  in  this  domain  only. 

A network made up of processes $P_1, P_2, \ldots, P_n$ is denoted by $P_1 \| P_2 \| \ldots \| P_n$, indicating the parallel execution of the component processes. Fig. 1 illustrates a network of three processes and eight communication channels.




Figure  1.  A  network  of  processes 


¹ Extension to asynchronous message passing is straightforward, immaterial to the incompleteness problem, and therefore not discussed here.
3. Simple Trace Logic


Our formalism for specifying and verifying networks is called Simple Trace Logic (STL). It concisely captures trace-based reasoning.

3.1.  Channel  Traces 

A  specification  is  a  first-order  predicate  that  is  satisfied  by  every  possible  execution  of  the 
process  or  network  it  specifies.  The  predicate  is  defined  over  channel  traces — the  sequences  of 
values  transmitted  on  communication  channels  during  execution. 

Let c be a channel. In a specification, c denotes a finite sequence, $(c_0, c_1, \ldots, c_{|c|-1})$, indicating the values transmitted along channel c, in order. We use the following notational conventions:

• $()$ denotes the empty sequence.

• $|c|$ denotes the length of sequence c.

• $c1 \sqsubseteq c2$ denotes that sequence c1 is a prefix of sequence c2. Note that $\sqsubseteq$ is reflexive.

3.2.  Process  Specifications 

A specification for a process P is a predicate S over the traces of P's incoming and outgoing channels. We say that P's behavior satisfies S, written P sat S, if, at every point during any computation of P, the traces of the values transmitted on channels incident to P satisfy S. For example, suppose process P3 of Fig. 1 repeatedly reads an integer from c8 and writes its successor to c4. We can formulate this in STL as

[3.2.1] P3 sat $(|c8| - 1 \le |c4| \le |c8|) \wedge (\forall i: 0 \le i < |c4|: c4_i = c8_i + 1)$.

3.3.  Network  Specifications  and  Proof  Rules 

A specification for a network $N = P_1 \| P_2 \| \ldots \| P_n$ is also a predicate S over the traces of its (internal and external) channels. N sat S if, given any behavior of N up to any point in time, the traces of values transmitted along N's channels satisfy S.

The axioms of STL consist of all formulas P sat S, where S is a specification satisfied by every possible execution of process P. A specification of a network is to be based solely on specifications for its primitive component processes; how these primitive specifications are obtained — or even how processes are programmed — is not important. This puts STL at a level of abstraction that hides all details except those relevant to the question of completeness.

Specifications for networks can be derived from specifications for their component processes by using the following inference rule:

[3.3.1] Network Composition Rule:

$$\frac{(\forall i: 1 \le i \le n: P_i \text{ sat } S_i)}{P_1 \,\|\, P_2 \,\|\, \ldots \,\|\, P_n \text{ sat } \bigwedge_i S_i}$$

Conjoining specifications of processes using [3.3.1] results in "linking" any shared channels because in $\bigwedge_i S_i$ all c's (say) refer to the same channel trace.

In addition, we have the following inference rule:

[3.3.2] Consequence Rule:

$$\frac{N \text{ sat } S1,\quad S1 \Rightarrow S2}{N \text{ sat } S2}$$

These two inference rules, or variants thereof, underlie all trace-based proof systems we know of, including [CH81, Ho85, MC81, NDGO86].

4.  Incompleteness  of  Simple  Trace  Logic 

Specification S is valid for a process or network PN if every execution of PN (up to any point in time) yields channel traces that satisfy S. We would like STL to be sound — i.e. if we use STL to prove N sat S, then indeed S is valid for network N. A rigorous soundness proof requires a computational model [Ap81, CK73, Co78], which we give in Section 5.

We would also like STL to be complete — i.e. whenever some specification S is valid for network N, then N sat S is provable using STL. However, a network specification is derived using [3.3.1] from specifications for its component processes. If these specifications are valid, but too weak, then we may not be able to prove a given valid network specification. Thus, what we really want to know is whether we can prove N sat S when the specifications given for the primitive processes comprising N are as "strong" as possible.

[4.0.1] Definition: A specification S is precise for a process or network PN iff

(1) S is valid for PN.

(2) Any computation that satisfies S is a possible computation of PN.

A precise specification for a process or network, then, exactly characterizes its possible computations. Hence, for completeness, we are merely interested in the provability of N sat S when S is valid and the specifications for the processes in N are precise.

STL specifications can involve elements of the data domain from which messages are drawn, sequences of such elements, and lengths of sequences. Since number theory itself is incomplete [S67], a valid assertion involving sequence lengths might not be provable in any system. When designing a programming logic, one actually aims for relative completeness [Co78]: Assuming that one can prove any valid statement of predicate logic, number theory, and the data domain of the network being considered, is the proof system complete?² STL is not relatively complete, as we now show.

4.1.  Temporal  Ordering  Property 

Consider the single-process network of Fig. 2. As an informal description of process P we are given four facts: (1) P reads at most one value from channel i; (2) P reads at most one value from channel j; (3) P reads a value from i before reading from j; (4) P reads a value from j before reading from i. A formal specification is

Figure 2. Single-process network

[4.1.1] P sat S1: $|i| \le 1 \wedge |j| \le 1 \wedge |j| \le |i| \wedge |i| \le |j|$.

Let the data domain for this network be {a}. The following specification is valid for P and is equivalent to [4.1.1]:

[4.1.2] P sat S2: $(i = () \wedge j = ()) \vee (i = (a) \wedge j = (a))$.

P is always in one of two states: either no values have been read from i and j or one a has been read from each. However, P can reach a state in which $(i = (a) \wedge j = (a))$ only if $i_0$ and $j_0$ are transmitted simultaneously. Since this cannot happen (by assumption [2.0.2]), P can never read a value from i or j. Therefore, a third valid specification for P is

[4.1.3] P sat S3: $i = () \wedge j = ()$.

All three specifications are valid and, in fact, precise. Any computation satisfying S1, S2, or S3 is a computation of P — no values are ever read on i or j. However, consider an attempt at proving [4.1.3] given precise specification S2 (say) of [4.1.2]. Since there is only a single process, the network composition rule is irrelevant, and the only inference we can use is the consequence rule. But S2 ⇒ S3 does not hold. Hence [4.1.3] is unprovable, even though it is valid.

² Most proof systems make assumptions about both the provability of predicate logic statements and the expressiveness of the specification language involved. This is sometimes referred to as Cook completeness [Ap81, Co78]. We, too, have made an expressiveness assumption in our supposition that precise specifications for the component processes can be written in STL. The reader should convince himself that our language is powerful enough to express precise specifications for a large class of primitive processes.
We need a way to formalize the reasoning about event ordering used to obtain [4.1.3]. It must assert the following:

[4.1.4] Temporal Ordering Property: Suppose c1 and c2 are channels of a network N, $c1_x$ and $c2_y$ are transmitted as a result of distinct communication events, and in any computation of N

(1) $c1_x$ must be transmitted before $c2_y$, and

(2) $c2_y$ must be transmitted before $c1_x$.

Then $(|c1| \le x \wedge |c2| \le y)$ holds throughout any computation of N — neither message will be transmitted.

Property [4.1.4] allows S3 to be deduced from S2, making [4.1.3] provable.

4.2.  Prefix  Property 

Consider a network with one process and one communication channel (see Fig. 3). Suppose the network has {a, b} as its data domain. Let a precise specification for process P be

Figure 3. Simplest network of all

[4.2.1] P sat S4: $i = () \vee i = (a) \vee i = (b, a)$.

Since P can send only one value at a time on channel i, $i = (b, a)$ can never be attained — it would be reachable only from $i = (b)$, which is prohibited by S4. Therefore, [4.2.1] can be simplified to

[4.2.2] P sat S5: $i \sqsubseteq (a)$.

However, S4 does not imply S5, and therefore [4.2.2] cannot be proved from precise specification [4.2.1]. Here, we need:

[4.2.3] Prefix Property: For any channel c and integers $0 \le x \le y$, the trace of c after x values have been transmitted is always a prefix of the trace of c after y values have been transmitted.

By applying the prefix property to S4, we can eliminate the disjunct $i = (b, a)$ and obtain [4.2.2].

4.3.  Augmenting  the  Proof  System 

Consider any STL proof that establishes N sat S for a network $N = P_1 \| P_2 \| \ldots \| P_n$. As axioms, we are given $P_1$ sat $S_1$, $P_2$ sat $S_2$, ..., $P_n$ sat $S_n$, where $S_1, S_2, \ldots, S_n$ are precise. The first rule to be applied in any such proof is necessarily the network composition rule, so we immediately obtain N sat $\bigwedge_i S_i$. (In Section 5 we show that $\bigwedge_i S_i$ is in fact a precise specification for N.) All remaining steps in the proof must then be applications of the consequence rule. Since any string of consequence rule applications can be collapsed into one, we see that N sat S is provable if and only if $\bigwedge_i S_i \Rightarrow S$, a formula of predicate logic. The two examples given, however, demonstrate that such an implication might not hold. By strengthening the antecedent, we can guarantee that the implication will be valid. Thus, we must find a set of axioms such that if A (say) is the conjunction of the axioms in the set, then $(\bigwedge_i S_i \wedge A) \Rightarrow S$ is valid whenever it should be possible to deduce S from $\bigwedge_i S_i$. The temporal ordering and prefix properties are the basis for such a set of axioms.

The  remainder  of  the  paper  is  a  formalization  of  the  concepts  and  results  presented  thus  far. 

5.  Computational  Model 

Proving soundness and (relative) completeness requires a model of network behavior [Ap81, CK73, Co78]. The model is used to formalize the notions of valid and precise
specifications.  We  can  then  prove  that  STL  is  sound,  we  can  show  that  the  conjunction  of 
precise  process  specifications  results  in  a  precise  network  specification,  and,  most  importantly, 
we  can  formalize  the  temporal  ordering  and  prefix  properties,  allowing  us  to  prove  that  they  are 
necessary  and  sufficient  for  relative  completeness. 

Our model is based on the computation tree. Every process or network is represented by one computation tree. The structure of the tree describes all and only potential execution sequences of the process or network; vertices, called trace-sets, are sets of communication channel traces, and edges represent a single step of execution. In all computation trees:

[5.0.1] The root of the tree is the trace-set in which all channel traces are empty, corresponding to the initial state of a computation.

[5.0.2] The children of a trace-set TS within the computation tree are exactly those trace-sets that extend one channel trace of TS by one element, where the extension corresponds to a communication event that might actually be performed.

Internal computations of a process are irrelevant when reasoning about network behavior, except as they affect the values sent and received. Thus the tree does not include such changes of process state. Since our system allows for reasoning about both finite and infinite computations, trees can be of finite or infinite depth. The domain of communicable values corresponds to the breadth of a tree; it too can be finite or infinite. (There is some similarity here to the CCS synchronization tree [Mi80].)
We first describe computation trees for primitive processes and then show how a computation tree for a network is built from trees for its component processes.

5.1.  Computation  Trees  for  Processes 

The behavior of a process P is modeled as a computation tree. As an example, consider the network of Fig. 4. MERGE repeatedly and nondeterministically reads a value from i or j and then writes it on k. BUFFER simply copies values from k to j, with an arbitrary amount of internal buffering. Let the data domain for the network be {a}. The initial portions of the computation trees for MERGE and BUFFER are illustrated in Figs. 5 and 6.




Figure  4.  Example  network 

5.2.  Computation  Trees  for  Networks 

The computation tree for a network is defined in terms of the computation trees for the network's constituent processes.³ First, we define compatibility of trace-sets — the criteria for determining when a group of trace-sets from process computation trees can coexist and hence can be combined into a single trace-set of a network computation tree. Let $TS_1, TS_2, \ldots, TS_n$ be trace-sets, one each from the computation trees for processes $P_1, \ldots, P_n$ of a network. This group of trace-sets is compatible iff for all channels c such that a trace of c appears in both $TS_i$ and $TS_j$, the trace of c in $TS_i$ is identical to the trace of c in $TS_j$. Thus, trace-sets are compatible when the exact same transmissions have occurred on any channels they have in common. When an appropriate set of compatible trace-sets is identified (the identification procedure is described shortly), they are merged into a single trace-set of the network tree being constructed. Merging compatible trace-sets simply consists of forming their union.

Let $T_1, T_2, \ldots, T_n$ be the computation trees for processes $P_1, P_2, \ldots, P_n$ respectively, and let $N = P_1 \| P_2 \| \ldots \| P_n$. The tree T for network N is defined by the following construction:


³ We could alternatively — and equivalently — have chosen to define network trees independently of the component process trees, but the constructive definition given here is both illustrative of the model and useful in subsequent
Figure 5. Computation tree for process MERGE


Figure  6.  Computation  tree  for  process  BUFFER 


[5.2.1] Combine($T_1, T_2, \ldots, T_n$) =
    the root of T = the result of merging the roots of $T_1, T_2, \ldots, T_n$;
    for each $T_i$, $1 \le i \le n$:
        let $G_i$ be the group of trace-sets consisting of the root of $T_i$ and all the root's children;
    consider every possible group of trace-sets G, where G is constructed by choosing one trace-set from each $G_i$. G is usable if
        (1) the trace-sets in G are compatible, and
        (2) merging the trace-sets in G results in a new trace-set that extends exactly one trace of T's root by exactly one element;
    for each usable G:
        add a child to the root of T, letting this trace-set be the root of the tree defined by Combine(set of subtrees whose roots are the trace-sets in G).

In each invocation of Combine, one set of process tree trace-sets is merged into a single network tree trace-set, followed by the identification of all possible trace-sets the network can achieve in some "next step". The recursive definition then results in the complete network tree, even if some or all of the process trees are infinite (the resulting network tree need not also be infinite). Fig. 7 shows the initial part of the network tree for MERGE || BUFFER, obtained by combining the process trees pictured in Figs. 5 and 6.


Figure 7. Computation tree for MERGE || BUFFER
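The Combine construction of [5.2.1], carried out for MERGE || BUFFER to a bounded depth, as an added Python example that is not part of the paper. The next-step rules for MERGE and BUFFER are my reading of the informal descriptions in Section 5.1, the data domain is {a} as in the text, and trace-sets are modelled as dictionaries from channel name to tuple of values.

```python
"""Bounded Combine of [5.2.1] for the network of Fig. 4 (added example).
A trace-set is a dict channel -> tuple; a tree node is {"ts": ..., "children": [...]}.
Process trees are infinite, so they are given as "children" functions and the
network tree is cut off at a chosen depth.  Assumed, not from the paper:
the exact next-step rules below for MERGE and BUFFER."""
from itertools import product

A = "a"  # the only communicable value in the data domain {a}


def merge_children(ts):
    """MERGE reads from i or j, then writes the value read on k.
    It holds an unforwarded value when more has been read than written."""
    pending = len(ts["i"]) + len(ts["j"]) - len(ts["k"])
    if pending == 0:  # nothing pending: may read from either input
        return [{**ts, "i": ts["i"] + (A,)}, {**ts, "j": ts["j"] + (A,)}]
    return [{**ts, "k": ts["k"] + (A,)}]  # must forward the pending value


def buffer_children(ts):
    """BUFFER copies k to j with arbitrary buffering: it may always read k,
    and may write j whenever it holds a value not yet forwarded."""
    kids = [{**ts, "k": ts["k"] + (A,)}]
    if len(ts["j"]) < len(ts["k"]):
        kids.append({**ts, "j": ts["j"] + (A,)})
    return kids


def compatible(group):
    """Section 5.2: trace-sets agree on every channel they have in common."""
    for s in group:
        for t in group:
            for c in s.keys() & t.keys():
                if s[c] != t[c]:
                    return False
    return True


def merge_trace_sets(group):
    """Merging compatible trace-sets is just forming their union."""
    out = {}
    for ts in group:
        out.update(ts)
    return out


def extends_by_one(parent, child):
    """Exactly one trace grows by exactly one element; all others unchanged."""
    grown = 0
    for c in parent:
        if child[c] == parent[c]:
            continue
        if len(child[c]) != len(parent[c]) + 1 or child[c][:-1] != parent[c]:
            return False
        grown += 1
    return grown == 1


def combine(roots, children_fns, depth):
    """Combine(T_1, ..., T_n): `roots` are the current process trace-sets and
    `children_fns[i]` yields the children of a trace-set in T_i."""
    net_root = merge_trace_sets(roots)
    node = {"ts": net_root, "children": []}
    if depth == 0:
        return node
    # G_i = root of T_i together with all of that root's children
    groups = [[r] + fn(r) for r, fn in zip(roots, children_fns)]
    for g in product(*groups):  # every choice of one trace-set per G_i
        if not compatible(g):
            continue
        merged = merge_trace_sets(g)
        if not extends_by_one(net_root, merged):  # usability condition (2)
            continue
        node["children"].append(combine(list(g), children_fns, depth - 1))
    return node


def build_merge_buffer_tree(depth):
    merge_root = {"i": (), "j": (), "k": ()}
    buffer_root = {"k": (), "j": ()}
    return combine([merge_root, buffer_root], [merge_children, buffer_children], depth)


def level_sizes(node):
    """Number of network trace-sets at each depth of the finite tree."""
    sizes, level = [], [node]
    while level:
        sizes.append(len(level))
        level = [c for n in level for c in n["children"]]
    return sizes


if __name__ == "__main__":
    tree = build_merge_buffer_tree(4)
    print(level_sizes(tree))  # the only first step is MERGE reading i
```

At depth one the root has a single child, because j can only be written by BUFFER after k has been written, which in turn requires MERGE to have read from i first.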


5.3.  Valid  and  Precise  Specifications 

We are now ready to define the relationship between STL and the computation-tree model. Define a path in a computation tree to be any connected sequence of trace-sets beginning with the root and descending through the tree until a trace-set with no children is reached. (If no terminal trace-set is reached then the path is an infinite sequence.) A path corresponds to a computation of the process or network being modeled by the computation tree. For any process or network PN, define Comps(PN), the set of possible computations, to be the set of all paths in the computation tree for PN.

Denote any sequence of trace-sets by $\sigma = (\sigma_0, \sigma_1, \sigma_2, \ldots)$. A specification S is valid for a process or network PN if

[5.3.1] $(\forall \sigma: \sigma \in Comps(PN): (\forall i: 0 \le i < |\sigma|: \sigma_i \models S))$.⁴

That is, S is valid for PN if every trace-set of every sequence in Comps(PN) satisfies S. For notational convenience we define an "always" operator $\Box$:

[5.3.2] $\sigma \models \Box S$ iff $(\forall i: 0 \le i < |\sigma|: \sigma_i \models S)$.⁵

Definition [5.3.1] of validity can now be written as $(\forall \sigma: \sigma \in Comps(PN): \sigma \models \Box S)$, and we can establish the soundness of STL.

[5.3.3] Theorem (soundness of STL): Let N be a network and S a specification such that N sat S is provable using STL. Then S is valid for N.

Proof:  See  appendix. 

A sequence of trace-sets is well-formed if it could appear as a path in the computation tree for some process or network because the sequence does not violate [5.0.1] or [5.0.2]. More formally:

[5.3.4] Definition: σ is well-formed iff:

(1) All channel traces in the initial trace-set of σ are empty, and

(2) Each trace-set in σ, except the first, extends exactly one trace of the preceding set by exactly one element.

We can now formalize Definition [4.0.1] of a precise specification.

[5.3.5] Definition: A specification S is precise for a process or network PN iff:

(2) Any well-formed sequence of trace-sets σ satisfying $\Box S$ is in Comps(PN).

(In part (2) of [5.3.5] we tacitly assume that the trace-sets of σ do not include extraneous channel traces — i.e. that all traces in σ are histories of channels actually appearing in PN.) It turns out that the composition of precise process specifications results in a network specification that is also precise.

⁴ $\sigma_i \models S$ holds if the channel traces in $\sigma_i$ satisfy specification S.

⁵ This version of $\Box$ is consistent with the operator $\Box$ ("henceforth") in temporal logic, see e.g. [MP81]. The temporal logic operator is defined as: $\sigma \models \Box S$ iff $(\forall i: 0 \le i < |\sigma|: (\sigma_i, \sigma_{i+1}, \ldots) \models S)$, but when S itself contains no temporal operators, then $((\sigma_i, \sigma_{i+1}, \ldots) \models S) \equiv (\sigma_i \models S)$.

[5.3.6] Theorem (preciseness preservation): Let $S_i$ be a precise specification for $P_i$, $1 \le i \le n$, and let $N = P_1 \| P_2 \| \ldots \| P_n$. Then $\bigwedge_i S_i$ is a precise specification for N.

Proof:  See  appendix. 

6.  The  Temporal  Ordering  and  Prefix  Axioms 

Consider a network $N = P_1 \| P_2 \| \ldots \| P_n$. Given precise specifications $S_1, S_2, \ldots, S_n$ for the component processes, N sat S is provable if and only if $\bigwedge_i S_i \Rightarrow S$. We now know, by preciseness-preservation theorem [5.3.6], that $\bigwedge_i S_i$ is a precise specification for N. Therefore, STL would be relatively complete if S1 ⇒ S2 whenever S1 is a precise specification for a network N and S2 is a valid specification for N. The examples of Section 4 showed that the implication does not always hold and suggested that we define a set of axioms whose conjunction A guarantees that $(S1 \wedge A) \Rightarrow S2$. We will prove that axiomatizations of the temporal ordering and prefix properties (from Section 4) are necessary and sufficient for such an A.

There is a fundamental difference between any axiomatization of temporal ordering and specifications S1 and S2, because event ordering is always with respect to an entire computation — a sequence of trace-sets — while S1 and S2 are with respect to individual trace-sets. We employ $\Box$ to convert a specification to being on entire computations and introduce

[6.0.1] Revised Consequence Rule:

$$\frac{N \text{ sat } S1,\quad \Box S1 \wedge A \Rightarrow \Box S2}{N \text{ sat } S2}$$

6.1.  The  Temporal  Ordering  Axiom 

Our first axiom characterizes temporal ordering property [4.1.4]. If some communication $c1_x$ happens before some $c2_y$, then $|c2|$ cannot exceed y until $|c1|$ exceeds x. This can be expressed as $\Box(|c2| > y \Rightarrow |c1| > x)$. Note that this assertion captures temporal precedence for any channels c1 and c2 and any indices x and y, even if $x = y$ or c1 and c2 are the same channel. We are only interested in temporal ordering of distinct events, so the case in which $c1_x$ and $c2_y$ are produced by the same event (i.e. $x = y$ and c1 and c2 are the same channel) is excluded. Now, if $\Box(|c1| > x \Rightarrow |c2| > y)$ as well, then neither $c1_x$ nor $c2_y$ can ever happen; equivalently $\Box(|c1| \le x \wedge |c2| \le y)$.

The formalization differs slightly from the preceding discussion, however. All >'s are changed to ≥'s in the antecedent of the rule and all ≤'s are changed to <'s in the consequent. Doing so allows channel traces of length 0 in the antecedent, thereby asserting that an empty channel trace temporally precedes all communication events on that channel. Hence we state the temporal ordering axiom as:

[6.1.1] ORDERING: If c1 and c2 are channels, $x \ge 1$ and $y \ge 0$ are indices, and either $x \ne y$ or c1 and c2 are distinct, then $\Box(|c1| \ge x \equiv |c2| \ge y) \Rightarrow \Box(|c1| < x \wedge |c2| < y)$.

We require $x \ge 1$, rather than $x \ge 0$, because allowing $x = y = 0$ results in a pathological situation in which the antecedent is trivially true (since trace lengths are always at least 0), but the consequent is trivially false (since lengths cannot be less than 0).

We  must  prove  that  the  axiom  is  sound. 

[6.1.2] Theorem (soundness of ORDERING): $\sigma \models$ ORDERING for any well-formed sequence of trace-sets σ.

Proof:  See  appendix. 

6.2.  The  Prefix  Axiom 

An additional bit of notation is necessary in order to formulate an axiom for prefix property [4.2.3]. For any $i \ge 0$ and trace-set sequence σ, let $\bigcirc c$ ("the next value of c") be defined with respect to trace-set $\sigma_i$ as the trace of channel c in trace-set $\sigma_{i+1}$.⁶ If σ is finite, in the last trace-set let $\bigcirc c = c$ (since there is no next trace-set). In effect, we convert finite sequences to infinite ones by repeating the final trace-set. Thus, for any sequence σ, every channel c appearing in σ has a corresponding and well-defined value $\bigcirc c$ in each trace-set of the sequence. Intuitively, the value of $\bigcirc c$ at any given time is the value that channel trace c will have after the next computation step.

We  now  state  the  prefix  axiom. 

[6.2.1] PREFIX: If c is any channel, then $\Box(c \sqsubseteq \bigcirc c)$.

The  axiom  asserts  that  the  value  of  a  channel  trace  c  at  any  point  in  time  is  a  prefix  of  c's  trace 
at  any  later  time.  The  axiom  is  thus  equivalent  to  the  prefix  property  as  stated  in  Section  4.2. 

⁶ Operator $\bigcirc$ corresponds to the "next" operator of temporal logic [MP81]. Do not confuse this with a second use of $\bigcirc$ in temporal logic, where $\bigcirc$ operates over formulas: $\sigma \models \bigcirc S$ iff $(\sigma_1, \sigma_2, \ldots) \models S$.


[6.2.2] Theorem (soundness of PREFIX): $\sigma \models$ PREFIX for any well-formed sequence of trace-sets σ.

Proof: Let σ be any well-formed sequence of trace-sets. $\sigma \models$ PREFIX follows directly from the definition of well-formedness: Since $\sigma_{i+1}$ extends exactly one trace of $\sigma_i$ by exactly one element (for all $0 \le i < |\sigma| - 1$), every channel trace c in $\sigma_i$ is a prefix of the corresponding trace in $\sigma_{i+1}$. If $i = |\sigma| - 1$, then by definition $c = \bigcirc c$. Therefore PREFIX is a sound axiomatization of the prefix property. ∎

6.3. Necessity and Sufficiency of the Axioms

By letting $A \equiv \mathrm{ORDERING} \wedge \mathrm{PREFIX}$, we can prove that if $S1$ is a precise specification for network $N$ and $S2$ is a valid specification for $N$, then $\Box S1 \wedge A \Rightarrow \Box S2$. In addition, we will argue that ORDERING and PREFIX are necessary axioms for this: if either axiom is removed from $A$, then we can find a network $N$ with precise and valid specifications $S1$ and $S2$ (respectively) such that $\Box S1$ and $A$ do not imply $\Box S2$. We begin with a key lemma.

[6.3.1] Lemma (well-formedness): A sequence of trace-sets $\sigma$ is well-formed if and only if $\sigma \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$.

Proof: See appendix.

With this lemma in hand, we can easily prove that our two axioms are sufficient for relative completeness.

[6.3.2] Theorem (sufficiency of the axioms): If $S1$ is a precise specification for network $N$ and $S2$ a valid specification for $N$, then $\Box S1 \wedge \mathrm{ORDERING} \wedge \mathrm{PREFIX} \Rightarrow \Box S2$.

Proof: We show that any sequence of trace-sets $\sigma$ satisfying $\Box S1$, ORDERING, and PREFIX also satisfies $\Box S2$. Since $\sigma \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$, by Lemma [6.3.1] we know that $\sigma$ is well-formed. Now recall from the formal definition of preciseness ([5.3.5]) that any well-formed sequence satisfying a precise specification is a path in the computation tree for the corresponding process or network. Since $\sigma$ is well-formed and $\sigma \models \Box S1$, by the preciseness of $S1$ we conclude that $\sigma \in \mathit{Comps}(N)$. Finally, by the validity of $S2$, every sequence in $\mathit{Comps}(N)$ satisfies $\Box S2$, so $\sigma \models \Box S2$. □

Thus with ORDERING and PREFIX, we ensure that any valid network specification follows from a precise specification for the network. (In fact, by the preciseness-preservation theorem [5.3.6], only precise specifications for the component processes are needed.) Both axioms are necessary for the implication to always hold, as well as sufficient, as is shown in our final theorem:

[6.3.2] Theorem (necessity of the axioms): There exist networks $N1$, $N2$, and $N3$, with precise specifications $S1_p$, $S2_p$, $S3_p$ (respectively) and valid specifications $S1_v$, $S2_v$, $S3_v$ (respectively), such that:

(1) $\neg(\Box S1_p \wedge \mathrm{ORDERING} \Rightarrow \Box S1_v)$

(2) $\neg(\Box S2_p \wedge \mathrm{PREFIX} \Rightarrow \Box S2_v)$

(3) $\neg(\Box S3_p \Rightarrow \Box S3_v)$

Proof: (1) Let $N1$ be the example network of Section 4.2. (2) Let $N2$ be the example network of Section 4.1. (3) Follows directly from (1) and (2). □

7. Conclusions, Comparisons, and Future Work

STL is a simple trace-based proof system for networks of processes, with specification language and inference rules similar to those in most existing trace logics [Br84, CH81, HH83, Ho81, Ho85, Jo85, MC81, Mi80, NDGO86, ZRE84]. Like other simple trace logics [CH81, Ho81, Ho85, MC81], STL is incomplete, and we have proved that axiomatizations of the temporal ordering and prefix properties are necessary to achieve relative completeness. Since these two axioms are essential components of a relatively complete proof system, it is interesting to look at existing complete systems and identify how the axioms are represented.

Several proof systems involve explicit reasoning about every possible interleaving of communication events [Br84, HH83, Mi80]; within the system all possible computations must actually be listed. It is clear that such a logic will be complete, since an exhaustive list of potential computations is an exact characterization of process or network behavior, including (implicitly) the constraints of the temporal ordering and prefix properties. Naturally, the difficulty is the exponential number of possible computations. Verifying the specification of any but very simple networks could be a formidable task with such a formalism.

The proof system in [ZRE84] is designed both for the specification of sequential processes and for the verification of their behavior when connected into a network. Thus, Hoare-style triples and inference rules are given (in the style of [AFR80, LG81]), as well as a means for reasoning about specifications over channel traces. The logic includes a statement of the prefix property, written essentially as $\{\,Tr = c\,\}\ Pgm\ \{\,Tr \sqsubseteq c\,\}$, where $Pgm$ is any program segment. (The interpretation is: if execution of $Pgm$ begun in any state in which channel trace $c$ has value $Tr$ terminates, then upon termination $Tr$ is a prefix of $c$.) Reasoning about the temporal ordering property, however, is achieved only by enumerating all possible interleavings of the communication events of interest. Again, this can result in an exponential number of cases to consider.


In [ZRE84], the authors also discuss the incompleteness of [MC81] and suggest a rule that would render it relatively complete. (A similar rule is proposed in [Ng85].) Informally, the rule asserts the following: let $S$ be a valid specification for network $N$ and $t$ be an interleaved trace of all communication events during any computation of $N$. Then every prefix of $t$ satisfies $S$. This rule certainly captures the prefix property, and the temporal ordering property is encoded as well. To see this, suppose specification $S$ constrains two communication events $c1_x$ and $c2_y$ (say) to occur simultaneously. Any trace $t$ including only one of $c1_x$ and $c2_y$ will not satisfy $S$, and thus cannot be a computation of $N$. Suppose, then, that both events are included in $t$. Consider any prefix $p$ of $t$ that contains one event but not the other. (Such a prefix must exist.) Then $p$ will not satisfy $S$, since only one of $c1_x$ and $c2_y$ appears in $p$. Hence no computation of $N$ can include either event.

In [Jo85], the fact (and problem) that valid specifications do not always follow from precise specifications is identified, but no actual solution is proposed. The author suggests adding a proof rule of the form

    $N\ \mathrm{sat}\ S1$
    ------------------
    $N\ \mathrm{sat}\ S2$

which can be used whenever $S1$ and $S2$ are such that any network satisfying $S1$ will also satisfy $S2$. With a rule of inference like this, the issues of behavioral properties such as temporal ordering can essentially be ignored, but consequently there is no formal method for deciding when a pair of specifications is a candidate for an application of the above rule.

The proof system of [NDGO86] is based on temporal logic, so it is straightforward to formulate ordering constraints between network events in the logic. In addition, a number of axioms for behaviors are defined, including assertions that all traces are initially empty, that only one communication event can occur in a single time-step, that the prefix property holds, etc. These axioms for behaviors are also stated in temporal logic.

Our ORDERING and PREFIX axioms could be formulated in temporal logic, since the operators $\Box$ and $\bigcirc$ are subsumed by the corresponding operators of temporal logic. However, we have actually drawn upon only a relatively small subset of temporal logic. In particular, we use $\bigcirc c$, but do not need the formula version of $\bigcirc$; we use $\Box S$, but only in the special case when $S$ is non-temporal. Although temporal logic is a convenient language in which to perform the types of reasoning needed for our axioms, temporal logic may be far more powerful than is necessary. Our contribution here is to identify the subset of temporal logic needed to achieve relative completeness.

The next step in our work is to extend the language of STL to enable our two axioms to be expressed. Our goal is to create as simple a trace logic as possible, but one that is still relatively complete. Since we have shown that ORDERING and PREFIX are necessary and sufficient property axiomatizations, they will be our guide in devising such a proof system.

Appendix 

[5.3.3] Theorem (soundness of STL): Let $N$ be a network and $S$ a specification such that $N\ \mathrm{sat}\ S$ is provable using STL. Then $S$ is valid for $N$.

Proof: Since we're assuming validity of process specifications, proving this theorem consists of showing that whenever the antecedent of an STL inference is valid, so is the consequent.

[3.3.1] Network Composition Rule:

    $(\forall i : 1 \leq i \leq n : P_i\ \mathrm{sat}\ S_i)$
    ------------------------------------------
    $P_1 \parallel P_2 \parallel \ldots \parallel P_n\ \mathrm{sat}\ \bigwedge_i S_i$

Assume each $S_i$ is valid for $P_i$, so $(\forall \sigma : \sigma \in \mathit{Comps}(P_i) : \sigma \models \Box S_i)$. We must show that $(\forall \sigma : \sigma \in \mathit{Comps}(N) : \sigma \models \Box \bigwedge_i S_i)$, where $N = P_1 \parallel P_2 \parallel \ldots \parallel P_n$. Consider an arbitrary conjunct $S_i$ and an arbitrary $\sigma \in \mathit{Comps}(N)$. Let $\sigma_j$ be any trace-set of $\sigma$. If we construct $\sigma'_j$ by removing from $\sigma_j$ all traces of channels that are not incident to process $P_i$, then, by the method of constructing network trees from component process trees, we obtain a trace-set that must appear in some $\sigma \in \mathit{Comps}(P_i)$. Therefore $\sigma'_j \models S_i$, because $S_i$ is valid, and $\sigma_j \models S_i$ as well, since the traces that were removed from $\sigma_j$ cannot appear in $S_i$. Since $\sigma_j$ is an arbitrary trace-set of an arbitrary sequence in $\mathit{Comps}(N)$, we know $(\forall \sigma : \sigma \in \mathit{Comps}(N) : \sigma \models \Box S_i)$. The conjunct $S_i$ was also chosen arbitrarily, so we can conclude that $(\forall \sigma : \sigma \in \mathit{Comps}(N) : \sigma \models \Box \bigwedge_i S_i)$. Thus $\bigwedge_i S_i$ is valid for $N$.

[3.3.2] Consequence Rule:

    $N\ \mathrm{sat}\ S1,\quad S1 \Rightarrow S2$
    ------------------------------
    $N\ \mathrm{sat}\ S2$

Let $S1$ be valid for $N$. From $(\forall \sigma : \sigma \in \mathit{Comps}(N) : \sigma \models \Box S1)$ and $S1 \Rightarrow S2$, by predicate logic we conclude $(\forall \sigma : \sigma \in \mathit{Comps}(N) : \sigma \models \Box S2)$. Therefore $S2$ is also valid for $N$. □

[5.3.6] Theorem (preciseness preservation): Let $S_i$ be a precise specification for $P_i$, $1 \leq i \leq n$, and let $N = P_1 \parallel P_2 \parallel \ldots \parallel P_n$. Then $\bigwedge_i S_i$ is a precise specification for $N$.

Proof: We must show that $\bigwedge_i S_i$ satisfies both parts of Definition [5.3.5].

(1) ($\bigwedge_i S_i$ is valid for $N$.) Since the $S_i$ are precise specifications for their respective $P_i$, they are valid. We must then show that $\bigwedge_i S_i$ is valid for $N$. This was proven in part (1) of Theorem [5.3.3] (the soundness theorem).

(2) (If $\sigma$ is any well-formed sequence of trace-sets such that $\sigma \models \Box \bigwedge_i S_i$, then $\sigma \in \mathit{Comps}(N)$.) For any process $P$, define $\mathit{Project}(\sigma, P)$ to be the sequence of trace-sets $\sigma'$ that results from restricting the trace-sets in $\sigma$ to those channels that are incident to $P$ and then eliminating all trace-sets that duplicate their immediate predecessor in the sequence. Using $\mathit{Project}(\sigma, P)$ we can take a path representing a computation of a network and extract the trace-set sequence that shows how a single process behaved during this computation. Now, let $\sigma$ be any well-formed sequence of trace-sets such that $\sigma \models \Box \bigwedge_i S_i$. We must show that $\sigma \in \mathit{Comps}(N)$. Let $\sigma_1 = \mathit{Project}(\sigma, P_1)$, $\sigma_2 = \mathit{Project}(\sigma, P_2)$, etc. By definition, $\sigma_i \models \Box S_i$, $1 \leq i \leq n$. Thus, by the preciseness of each of the $S_i$, $\sigma_i \in \mathit{Comps}(P_i)$. Lastly, we use the algorithm for network tree construction to conclude that $\sigma \in \mathit{Comps}(N)$. □

[6.1.2] Theorem (soundness of ORDERING): If $\sigma$ is any well-formed sequence of trace-sets, then $\sigma \models \mathrm{ORDERING}$.

Proof: Let $\sigma$ be an arbitrary well-formed sequence of trace-sets. We must show that if $\sigma \models \Box(|c1| \geq x \equiv |c2| \geq y)$ then $\sigma \models \Box(|c1| < x \wedge |c2| < y)$. Assume that $\Box(|c1| \geq x \equiv |c2| \geq y)$ holds for $\sigma$, and suppose, for the sake of a contradiction, that $\Box(|c1| < x \wedge |c2| < y)$ does not. Thus, there is a trace-set of $\sigma$ in which $(|c1| \geq x \vee |c2| \geq y)$. Let $i$ be the smallest index for which this is true: $(|c1| \geq x \vee |c2| \geq y)$ is true in $\sigma_i$, but does not hold in any $\sigma_j$ for $j < i$. Since $(|c1| \geq x \vee |c2| \geq y)$ is true in $\sigma_i$, by $\sigma \models \Box(|c1| \geq x \equiv |c2| \geq y)$ we know that $(|c1| \geq x \wedge |c2| \geq y)$ holds in $\sigma_i$. Moreover $i > 0$ (recall Definition [6.1.1]), since all traces in $\sigma_0$ are empty. So consider trace-set $\sigma_{i-1}$. By the definition of a well-formed sequence, $\sigma_i$ extends exactly one trace of $\sigma_{i-1}$ by exactly one element. Therefore, since $(|c1| \geq x \wedge |c2| \geq y)$ holds in $\sigma_i$, $(|c1| \geq x \vee |c2| \geq y)$ must hold in $\sigma_{i-1}$. This contradicts the assumption that $i$ is the smallest index for which $\sigma_i \models (|c1| \geq x \vee |c2| \geq y)$. Thus, $\sigma \models \Box(|c1| < x \wedge |c2| < y)$ and $\sigma \models \mathrm{ORDERING}$. □

[6.3.1] Lemma (well-formedness): A sequence of trace-sets $\sigma$ is well-formed if and only if $\sigma \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$.

Proof: ($\Rightarrow$) (If $\sigma$ is well-formed then $\sigma \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$.) This is simply a statement that axioms ORDERING and PREFIX are sound, which was proven in Sections 6.1 and 6.2.

($\Leftarrow$) (If $\sigma \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$ then $\sigma$ is well-formed.) Consider any $\sigma$ that satisfies ORDERING and PREFIX; we must show that $\sigma$ is well-formed. We prove the (equivalent) contrapositive: if $\sigma$ is not well-formed, then $\sigma$ does not satisfy $\mathrm{ORDERING} \wedge \mathrm{PREFIX}$. Let $\sigma$ be any sequence of trace-sets that is not well-formed. By Definition [5.3.4] of well-formedness, $\sigma$ then must exhibit at least one of the following conditions:

[A.1] In the initial trace-set, not all channel traces are empty.

[A.2] Some channel trace decreases in length.

[A.3] Some channel trace increases in length by more than 1.

[A.4] Two channel traces increase in length at the same step.

[A.5] Some channel trace element takes on more than one value. (A value changes spontaneously between trace-sets on a path.)

(The negation of well-formedness condition (1) from Definition [5.3.4] is [A.1], while negating condition (2) results in [A.2] through [A.5].) We must show that in every case, one of ORDERING and PREFIX is violated. The proof proceeds by induction on the length of $\sigma$.

Base case: $|\sigma| = 1$. Since $\sigma$ has only one trace-set, $\sigma$ must be ill-formed due to case [A.1]: not all channel traces are empty in $\sigma_0$. Let $|c| = x$ in $\sigma_0$ for some channel $c$ and some $x \geq 1$. Then $\sigma \models \Box(|c| \geq 0 \Rightarrow |c| \geq x)$. Trivially, $\sigma \models \Box(|c| \geq x \Rightarrow |c| \geq 0)$, so $\sigma \models \Box(|c| \geq 0 \equiv |c| \geq x)$. By ORDERING we conclude $\sigma \models \Box(|c| < x \wedge |c| < 0)$. This last assertion is not true, and thus ORDERING does not hold for $\sigma$.

Induction: $|\sigma| = n + 1$, $n \geq 1$. Suppose, as the induction hypothesis, that any $\sigma'$ of length $n$ that is not well-formed violates ORDERING and/or PREFIX. Now consider $\sigma$. If $(\sigma_0 \ldots \sigma_{n-1})$ is not well-formed, then by the induction hypothesis we are done. So assume that $(\sigma_0 \ldots \sigma_{n-1})$ is well-formed. Then the ill-formedness of $\sigma$ must occur between trace-sets $\sigma_{n-1}$ and $\sigma_n$ and must be of type [A.2], [A.3], [A.4], or [A.5] above. By cases:

[A.2] (Some channel trace decreases in length.) Let $|c| = x$ in $\sigma_{n-1}$ and $|c| = y$ in $\sigma_n$, for some $c$ and $x > y$. Then $c \sqsubseteq \bigcirc c$ does not hold in $\sigma_n$, $\Box(c \sqsubseteq \bigcirc c)$ is not valid for $\sigma$, and hence PREFIX is violated.

[A.3] (Some channel trace increases in length by more than 1.) Suppose $|c| = x$ in $\sigma_{n-1}$ and $|c| = x + y$ in $\sigma_n$, for some $c$, $x$, and $y \geq 2$. Recall that $(\sigma_0 \ldots \sigma_{n-1})$ is well-formed (by hypothesis), so we know $(\sigma_0 \ldots \sigma_{n-1}) \models \Box(|c| \leq x)$, since $|c| = x$ in $\sigma_{n-1}$. Therefore $\sigma \models \Box(|c| \geq x + 1 \Rightarrow |c| \geq x + y)$. Now since $\Box(|c| \geq x + y \Rightarrow |c| \geq x + 1)$ holds trivially, we obtain $\sigma \models \Box(|c| \geq x + 1 \equiv |c| \geq x + y)$. It is not the case, however, that $\sigma \models \Box(|c| < x + 1 \wedge |c| < x + y)$. Thus ORDERING does not hold.

[A.4] (Two channel traces increase in length at the same step.) Let $|c1| = x$ and $|c2| = y$ in $\sigma_{n-1}$, and let $|c1| = x + 1$ and $|c2| = y + 1$ in $\sigma_n$, for some $c1$, $c2$, $x$, and $y$. Since $(\sigma_0 \ldots \sigma_{n-1})$ is well-formed, $\sigma \models \Box(|c1| \geq x + 1 \equiv |c2| \geq y + 1)$. Then by ORDERING it should be the case that $\sigma \models \Box(|c1| < x + 1 \wedge |c2| < y + 1)$. This assertion is not valid, so ORDERING is violated.

[A.5] (A channel trace element takes on more than one value.) Suppose there is a channel trace element $c_x$ such that $c_x = a$ in $\sigma_{n-1}$, $c_x = b$ in $\sigma_n$, and data items $a$ and $b$ are not identical. Then $c \sqsubseteq \bigcirc c$ does not hold in $\sigma_n$, $\Box(c \sqsubseteq \bigcirc c)$ is not valid for $\sigma$, and PREFIX does not hold.

We have shown that if $\sigma$ exhibits one of the five cases above, then $\sigma$ does not satisfy both of ORDERING and PREFIX. Suppose that in fact $\sigma$ is ill-formed in more than one way. Then consider a condition that involves a single channel (only case [A.4] involves two channels), and reasoning as above guarantees that one of ORDERING and PREFIX is still violated. Thus we have shown that any $\sigma$ satisfying ORDERING and PREFIX is well-formed. Together with the first half of the proof: a sequence of trace-sets $\sigma$ is well-formed if and only if $\sigma \models \mathrm{ORDERING} \wedge \mathrm{PREFIX}$. □
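The notation of Section 6.2 and the case analysis in the proof of Lemma [6.3.1], as an added example in Python that is not part of the paper: it decides PREFIX and single instances of ORDERING on a constructed sequence of trace-sets, classifies an ill-formed sequence by [A.1] to [A.5], and returns the witness instance the proof uses for that case. The dict/tuple encoding, the function names, and the choice to range the soundness check over distinct events with thresholds x, y ≥ 1 are our assumptions, not the paper's.

```python
"""Added example, not from the paper: executable forms of PREFIX, single
instances of ORDERING, and the cases [A.1]-[A.5] from the proof of Lemma
[6.3.1], each paired with the axiom instance that proof shows to fail."""
from itertools import product

# Encoding (our assumption): a trace-set is a dict channel -> tuple of
# values, a sequence sigma is a list of trace-sets with sigma[0] first,
# and a channel missing from a trace-set has the empty trace.

def trace(ts, c):
    return ts.get(c, ())

def next_trace(seq, i, c):
    """The paper's 'next value of c' relative to seq[i]: c's trace in
    seq[i+1], or c itself in the final trace-set."""
    return trace(seq[min(i + 1, len(seq) - 1)], c)

def holds_prefix(seq):
    """sigma |= PREFIX: in every trace-set, c is a prefix of next-c."""
    channels = {c for ts in seq for c in ts}
    return all(next_trace(seq, i, c)[:len(trace(ts, c))] == trace(ts, c)
               for i, ts in enumerate(seq) for c in channels)

def holds_ordering(seq, c1, x, c2, y):
    """One instance of ORDERING on sigma:
    always(|c1|>=x <=> |c2|>=y)  implies  always(|c1|<x and |c2|<y)."""
    lens = [(len(trace(ts, c1)), len(trace(ts, c2))) for ts in seq]
    equiv = all((l1 >= x) == (l2 >= y) for l1, l2 in lens)
    below = all(l1 < x and l2 < y for l1, l2 in lens)
    return (not equiv) or below

def ordering_sound(seq, max_t):
    """All instances over distinct events with x, y >= 1 (thresholds a
    trace can actually reach; our assumption about the schema's range)
    hold on seq, as Theorem [6.1.2] promises when seq is well-formed."""
    chans = sorted({c for ts in seq for c in ts})
    rng = range(1, max_t + 1)
    return all(holds_ordering(seq, c1, x, c2, y)
               for c1, x, c2, y in product(chans, rng, chans, rng)
               if (c1, x) != (c2, y))

def defect(seq):
    """Return None if seq is well-formed, else (case, witness): the first
    of [A.1]-[A.5] that seq exhibits and the axiom instance the proof of
    Lemma [6.3.1] shows is violated when that is the only defect."""
    nonempty = [c for c in seq[0] if trace(seq[0], c)]
    if nonempty:                                              # [A.1]
        c = nonempty[0]
        return "A.1", ("ORDERING", c, 0, c, len(trace(seq[0], c)))
    channels = sorted({c for ts in seq for c in ts})
    for n in range(1, len(seq)):
        grown = []                  # channels extended by one at step n
        for c in channels:
            p, q = trace(seq[n - 1], c), trace(seq[n], c)
            if len(q) < len(p):                               # [A.2]
                return "A.2", ("PREFIX", c)
            if q[:len(p)] != p:                               # [A.5]
                return "A.5", ("PREFIX", c)
            if len(q) > len(p) + 1:                           # [A.3]
                return "A.3", ("ORDERING", c, len(p) + 1, c, len(q))
            if len(q) == len(p) + 1:
                grown.append((c, len(q)))
        if len(grown) > 1:                                    # [A.4]
            (c1, x), (c2, y) = grown[:2]
            return "A.4", ("ORDERING", c1, x, c2, y)
    return None
```

The witness for [A.1] uses threshold 0 exactly as the base case of the proof does; for a well-formed sequence both `holds_prefix` and `ordering_sound` return True.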